OWASP ASVS Audit Deliverables

This document certifies that SoftSeq has verified full compliance of the software in question with an appropriate level of the OWASP Application Security Verification Standard. This certificate is always accompanied by a Compliance Audit Report.

This document details the audit's findings for each security requirement of OWASP ASVS, describing the observed mechanisms, the risk assessment, and the security findings.

Note that specific vulnerabilities are reported separately in Jira, with screenshots, a problem description, a potential impact assessment, and a technical solution. They are linked to the respective ASVS requirements in this report.

Full scope of Software Security

Secure architecture review

Manual security testing

Manual security code review

Business logic security analysis

Production deployment security assessment

FAQ

The exact cost varies based on the product’s attack surface – how many features and data-entry points it has. For preliminary estimation purposes, as a short-hand for this number, we tend to use the number of API endpoints.

As far as software goes, pentests pale in comparison to Software Security Audits – both in depth and breadth.

Penetration Testing is a fitting security control to assess the security of a mature organization – its staff, networks, and systems. Yet its black-box approach is an ill choice for testing the security of a web application.

Many more issues can be identified with a white-box audit in the same time-frame, and some issues, such as backdoors, improper logging, insecure data storage, etc., can only be identified reliably with access to the source code.

Crowdsourced bug-bounty programs are a great tool when used properly. They can be a very cost-effective addition to the security program – if you come prepared.

For a well-tested application, with most security issues found and fixed, crowdsourced bug-hunting can bring the attention of many professionals from around the globe on the cheap.

In a medium-sized web application, finding 95% of security issues before the bug bounty starts can cut its cost from $25000 down to about $1000 in the first 6 months – which is a bargain for the attention you get.

No matter how clever or expensive, DAST (Dynamic Application Security Testing) tools lack human context-awareness and miss most security issues that a Security Engineering intern with 3 months of training would find easily.

SoftSeq engineers have worked first-hand developing some of the world’s best DAST tools, and yet we don’t use any in our DevSecOps offering.

SAST (Static Application Security Testing) tools, while also missing many security issues, are extremely noisy. The time it takes a security engineer to find a single true-positive issue in a sea of reported false-positives is far longer than finding the same issues by hand.

Yes, most OWASP ASVS requirements cannot be verified without access to the source code that underlies the mechanics of the application.

If there are any sensitive algorithms in the software, they can normally be omitted from the source code submitted for review. Most of an application’s code that handles critical security functions like authentication, session management, authorization, input processing, etc., is of little value to anyone.

Also, prior to any engagement, SoftSeq signs an NDA of the customer’s choice, obliging it to guard and protect all transferred IP.